Safety 101: Main sources of threat penetration

The most dangerous sources and ways of malware penetration are the following:

1. The Internet

The World Wide Web is the main source of malware. Malware can penetrate your computer as a result of the following actions:

Visiting a website that contains malicious code. Drive-by attacks are an example. A drive-by attack is carried out in two steps. First, a malefactor lures users to a website, using spam sent via e-mail or posted on bulletin boards. The website contains code that redirects the request to a third-party server hosting an exploit. During drive-by attacks malefactors use a wide range of exploits that target vulnerabilities in browsers and their plug-ins, ActiveX controls, and third-party software. The server that hosts the exploits can use the data in HTTP request headers to learn the version of the user's browser and operating system. Once the information about the victim's operating system is received, the corresponding exploit is served. If the attack succeeds, a Trojan is silently installed on the computer, and the malefactors take control of the infected machine. They can access confidential data stored on the computer and use the machine to carry out DoS attacks.
Earlier, malefactors created their own malicious websites; now they tend to compromise harmless websites by inserting script exploits or redirection code, which makes browser attacks more dangerous.

2. Email

Email messages received by users and stored in email databases can contain viruses. Malware can be found not only in attachments but also in the body of a message. You can infect your computer by opening such a message or by saving the attached file. Email is also the source of two more types of threat: spam and phishing. While spam only wastes your time, phishing messages target your private data, such as credit card numbers.

3. Software vulnerabilities

Software vulnerabilities are the most common targets of hacker attacks. Vulnerabilities, bugs and glitches in software grant hackers remote access to your computer and, correspondingly, to your data, local network resources and other sources of information.

4. Removable data storage media

Removable drives, flash memory devices and network folders are commonly used for data transfer. When you run a file from removable media you can infect your computer and spread the virus to the drives of your machine.

5. Users' actions

Sometimes users infect the computer themselves by installing applications that are disguised as harmless. This method of fraud is known as social engineering: using various tricks, malefactors make users install their malicious software.
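The redirection chain described under item 1 (a compromised page answering with a redirect to a third-party host, which then serves an executable to the same client) leaves a recognizable pattern in web proxy logs. The following Python script is an added example, not code from the original article: it runs a simple heuristic over a few constructed proxy log lines and flags client sessions matching that pattern. The log format, the field names, the 30-second window and the MIME-type list are all assumptions and would need to be adapted to a real proxy.

```python
"""Spot a drive-by redirection chain in proxy logs (added example).

Constructed log format (assumption): one request per line,
"client ts method host path status content_type location", with "-" for
an empty field.  Heuristic: a request to host A answered with a 3xx whose
Location points to a different host B, followed within WINDOW seconds by
the same client fetching an executable from B, is flagged for review.
"""
from collections import defaultdict
from urllib.parse import urlparse

WINDOW = 30  # seconds between redirect and download; assumption, tune per environment
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream",
                    "application/x-dosexec"}

# Constructed sample lines: one drive-by chain (10.0.0.5), one benign
# same-site redirect (10.0.0.7) and one plain download with no redirect (10.0.0.9).
SAMPLE_LOG = """\
10.0.0.5 1000 GET news.example.org /article.html 200 text/html -
10.0.0.5 1001 GET news.example.org /counter.js 302 - http://cdn-stat.example.net/ad.php
10.0.0.5 1002 GET cdn-stat.example.net /ad.php 200 text/html -
10.0.0.5 1004 GET cdn-stat.example.net /load.php 200 application/x-msdownload -
10.0.0.7 2000 GET shop.example.com / 302 - https://shop.example.com/home
10.0.0.7 2001 GET shop.example.com /home 200 text/html -
10.0.0.9 3000 GET files.example.com /setup.exe 200 application/x-msdownload -
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    client, ts, method, host, path, status, ctype, location = line.split(" ", 7)
    return {"client": client, "ts": int(ts), "method": method, "host": host,
            "path": path, "status": int(status), "ctype": ctype,
            "location": None if location == "-" else location}


def find_driveby_chains(log_text):
    """Return (client, redirecting_host, payload_host, payload_path) tuples."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            # Only cross-host redirects are interesting; same-site ones are routine.
            if not (300 <= r["status"] < 400 and r["location"]):
                continue
            target = urlparse(r["location"]).hostname
            if not target or target == r["host"]:
                continue
            # Look for an executable fetched from the redirect target shortly after.
            for later in recs[i + 1:]:
                if later["ts"] - r["ts"] > WINDOW:
                    break
                if later["host"] == target and later["ctype"] in EXECUTABLE_TYPES:
                    findings.append((client, r["host"], target, later["path"]))
                    break
    return findings


if __name__ == "__main__":
    for finding in find_driveby_chains(SAMPLE_LOG):
        print("review:", finding)
```

The heuristic is deliberately narrow: it only reports a cross-host redirect that is followed by an executable download, which keeps false positives from ordinary CDN redirects low at the cost of missing chains that deliver the payload through a second redirect or a non-executable MIME type.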

Safety 101: Types of known threats

To know what can threaten your data, you should know what malicious programs (malware) exist and how they function. Malware can be subdivided into the following types:

Viruses: programs that infect other programs by adding virus code to them, so that the virus gains control when the infected file is started. This simple definition captures the main action of a virus: infection. The spreading speed of viruses is lower than that of worms.

Worms: this type of malware uses network resources to spread. The class is called worms because of its peculiar ability to “creep” from computer to computer using networks, mail and other information channels. Thanks to this, the spreading speed of worms is very high.

Worms intrude into your computer, determine the network addresses of other computers and send copies of themselves to those addresses. Besides network addresses, the data in mail clients' address books is used as well. Representatives of this malware type sometimes create working files on system disks, but may not consume any computer resources other than memory.

Trojans: programs that perform actions on infected computers that the user has not authorized; depending on the conditions they delete information on disks, make the system freeze, steal personal information, etc. This malware type is not a virus in the traditional sense (i.e. it does not infect other programs or data): Trojans cannot intrude into a PC by themselves and are spread by violators disguised as “useful” and necessary software. Still, the harm caused by Trojans is higher than that of a traditional virus attack.

Spyware: software that collects data about a specific user or organization without their knowledge. You may not even suspect that there is spyware on your computer. As a rule, the aim of spyware is to:

Trace the user's actions on the computer

Collect information about hard drive contents; this often means scanning some folders and the system registry to compile a list of the software installed on the computer.

Collect information about the quality of the connection, the way of connecting, modem speed, etc.

Collecting information is not the main function of these programs; they also threaten security. At least two known programs, Gator and eZula, allow a violator not only to collect information but also to control the computer. Another example of spyware is programs embedded in the browser installed on the computer that redirect traffic. You have certainly come across such programs: when you requested one website address, another website was opened. One kind of spyware is phishing mailings.

Phishing is a mailing whose aim, as a rule, is to obtain confidential financial information from the user. Phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message. The messages contain a link to a deliberately false site where the user is asked to enter his/her credit card number and other confidential information.

Adware: program code embedded in software without the user being aware of it, in order to show advertising. As a rule, adware is embedded in software that is distributed free of charge. The advertising appears in the working interface. Adware often gathers personal information about the user and transfers it to its distributor.

Riskware: this software is not a virus, but it contains a potential threat. Under some conditions the presence of such riskware on your PC puts your data at risk. This category includes remote administration utilities, programs that use a dial-up connection, and some other programs that connect to pay-per-minute Internet sites.

Jokes: software that does not harm your computer but displays messages claiming that such harm has already been caused, or will be caused under some conditions. This software often warns the user about non-existent danger, e.g. displays messages about hard disk formatting (though no formatting actually happens), detects viruses in uninfected files, etc.

Rootkit: these are utilities used to conceal malicious activity. They disguise malware to prevent it from being detected by antivirus applications. Rootkits can also modify the operating system on the computer and substitute its main functions to disguise their presence and the actions that the violator performs on the infected computer.

Other malware: various programs developed to create other malware, organize DoS attacks on remote servers, intrude into other computers, etc. Hack Tools, virus constructors and the like belong to this category.

Spam: anonymous, mass, unwanted mail correspondence. Spam includes political and propaganda mailings and messages asking you to help somebody. Another category of spam is messages suggesting that you cash a great sum of money or inviting you to join financial pyramids, mails that steal passwords and credit card numbers, messages suggesting you forward them to your friends (chain letters), etc. Spam increases the load on mail servers and increases the risk of losing information that is important to the user.

If you suspect that your computer is infected with viruses, we recommend you:

Safety 101: General signs of a malware infection

There are a number of signs or symptoms indicating that your computer is infected. If you have started to notice weird things happening on your PC, such as:

unusual messages, images, or sound signals;

the CD-ROM tray opens and closes on its own;

programs start running without your command;

messages are displayed informing you that one of your programs is attempting to access the Internet without your command,

then it is likely that your computer is infected with malware.

Additional signs of email infections:

your friends or colleagues tell you about having received emails from your email address which you did not send;

a lot of messages without a sender address or subject in your mailbox.

It must be admitted that such signs are not always explained by the presence of malware; they may have some other explanation. For example, the issue with weird emails may be the result of somebody sending infected emails with your sender address from some other computer, not necessarily yours.
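The two email-related signs above can be checked mechanically rather than by eye. The Python script below is an added example, not part of the original article: it parses a handful of constructed raw messages, counts those with no sender or no subject, and, following the caveat that forged messages may be sent from another computer with your address, flags messages whose From is your own address but whose earliest Received hop is not your own mail server. MY_ADDRESS, MY_OUTBOUND_HOST and the sample messages are assumed values constructed for the example.

```python
"""Triage a mailbox for the email-related infection signs (added example).

Two checks: (1) messages lacking a sender or a subject, (2) messages that
claim to come from MY_ADDRESS but were handed in by a host other than our
own outbound server.  The second check tells a forged sender (someone
else's computer using your address) apart from mail you really sent.
"""
import email
from email import policy

MY_ADDRESS = "me@example.com"          # assumption: the address being checked
MY_OUTBOUND_HOST = "mail.example.com"  # assumption: the only host that legitimately sends our mail

# Constructed raw messages, separated by a line of "====".
RAW_MAILBOX = """\
From: Friend <friend@example.org>
To: me@example.com
Subject: lunch?
Received: from mx.example.org (mx.example.org [192.0.2.10]) by mail.example.com

see you at noon
====
From: me@example.com
To: colleague@example.org
Subject: invoice
Received: from unknown (203.0.113.77) by mail.example.com

open the attachment
====
To: me@example.com
Received: from 198.51.100.5 by mail.example.com

(no sender, no subject)
====
From: me@example.com
To: friend@example.org
Subject: photos
Received: from mail.example.com (mail.example.com [192.0.2.25]) by mx.example.org

sent by me for real
"""


def parse_mailbox(raw):
    """Parse the constructed mailbox text into email.message objects."""
    return [email.message_from_string(part.strip(), policy=policy.default)
            for part in raw.split("====") if part.strip()]


def missing_sender_or_subject(msg):
    """Sign 2 from the text: no sender address or no subject."""
    return not (msg.get("From") or "").strip() or not (msg.get("Subject") or "").strip()


def claims_my_address_but_foreign_origin(msg):
    """Sign 1 from the text: From is our address, but the message did not
    originate at our outbound server.  Each hop prepends its own Received
    header, so the last Received header is the hop closest to the sender."""
    sender = msg.get("From") or ""
    if MY_ADDRESS not in sender:
        return False
    hops = msg.get_all("Received") or []
    if not hops:
        return True  # no delivery trace at all; treat as suspicious
    first_hop = hops[-1]
    # The "from ..." part before " by " names the host that handed the mail in.
    return MY_OUTBOUND_HOST not in first_hop.split(" by ")[0]


def triage(raw):
    """Count how many messages trip each check."""
    counts = {"no_sender_or_subject": 0, "spoofed_own_address": 0}
    for msg in parse_mailbox(raw):
        if missing_sender_or_subject(msg):
            counts["no_sender_or_subject"] += 1
        if claims_my_address_but_foreign_origin(msg):
            counts["spoofed_own_address"] += 1
    return counts


if __name__ == "__main__":
    print(triage(RAW_MAILBOX))
```

A high count in the second category with no matching entries in your own server's outbound log is the situation the paragraph above describes: your address is being forged elsewhere, and the machine to examine is not necessarily yours.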

There are also indirect signs of a malware infection on your computer:

your PC frequently crashes or hangs;

everything slows down when starting a program;

operating system does not boot;

missing or corrupt files and folders;

excessive hard drive activity (the light on the front of the case flashes frequently);

something is wrong with Microsoft Internet Explorer (e.g. it freezes or does not respond to commands).

In 90% of cases, these indirect signs are caused by the incorrect functioning of some hardware or software. Still, there is a small chance that such signs are caused by an infection. If you experience any signs of this type, it is recommended to:

Select the Delete crypted files after decryption checkbox (the utility will delete the copies of the original files that have the .locked, .kraken and .darkness extensions).

Click OK.

In Kaspersky RakhniDecryptor, click Start scan.

In the Specify the path to one of encrypted files window, select the file you need to restore and click Open.

The utility will start recovering the password. Please mind the message in the Warning! window.

Wait until the utility is done with decrypting the file (do not exit the program or shut down the computer).

Trojan-Ransom.Win32.Rakhni creates the file exit.hhr.oshit, which contains the password for decrypting the files in encrypted form. If the file is still present on the infected computer, decryption with the RakhniDecryptor tool will take significantly less time. If the exit.hhr.oshit file was deleted, you can try to restore it using special tools and move it to the %APPDATA% folder. After that, you can try running the tool once again. The exit.hhr.oshit file is usually located in the following folder:

Windows XP: C:\Documents and Settings\<username>\Application Data

Windows Vista/7/8/8.1/10: C:\Users\<username>\AppData\Roaming

The file can be encrypted with the _crypt extension more than once. For example, the file test.doc was encrypted twice. The first encryption layer will be decrypted to test.1.doc.layerDecryptedKLR. In the tool performance report, the line Decryption success: disk:\path\test.doc_crypt -> disk:\path\test.1.doc.layerDecryptedKLR will appear. You will need to decrypt this file using the tool once again. In case of successful decryption, the file will be saved under the original name test.doc.

If the file was encrypted with the _crypt extension, decryption may take a long time. For example, for the Intel Core i5-2400 the procedure may take up to 120 days.

Parameters for running the utility from the command prompt

If you know how to use the command line, using it may help make the decryption process quicker. The RakhniDecryptor tool supports the following command-line parameters:

To start the utility for multi-threaded password cracking, use the -threads parameter.
For example: RakhniDecryptor.exe -threads 6
The utility starts a 6-thread brute force. If the parameter is not specified, the number of threads corresponds to the number of cores.

To restart password cracking from a certain value: -start <number>. To stop password cracking at a certain value: -end <number>.

The lowest value is 0, the highest value is 1000000.

All information about the password cracking process is saved to the report (C:\RakhniDecryptor.<version>_<date>_<creation_time>_log.txt).
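The -start, -end and -threads parameters make it possible to split the documented 0 to 1000000 search range across several machines instead of waiting months on one. The Python script below is an added example, not Kaspersky's code: it partitions the range into contiguous chunks, one per worker, and builds the corresponding command lines. It assumes the hyphen form of the parameters and that a chunk may include its boundary value at both ends, so the shared boundary is at worst tried twice and the range is covered whether -end is inclusive or exclusive.

```python
"""Plan a distributed RakhniDecryptor run (added example, not Kaspersky's code).

Splits the documented password range 0..1000000 into one contiguous chunk
per worker and emits a command line for each, using the -start/-end/-threads
parameters described in the text.  Assumption: consecutive chunks share a
boundary value, which is harmless (tried twice at most) and guarantees no
value is skipped regardless of how the tool treats the -end bound.
"""

PASSWORD_MIN = 0          # documented lowest value
PASSWORD_MAX = 1_000_000  # documented highest value
TOOL = "RakhniDecryptor.exe"


def split_range(workers, lo=PASSWORD_MIN, hi=PASSWORD_MAX):
    """Return `workers` contiguous (start, end) chunks covering lo..hi.

    The remainder of an uneven division is spread one value at a time over
    the first chunks so that no chunk is more than one value longer than
    another.
    """
    if workers < 1:
        raise ValueError("need at least one worker")
    size, rem = divmod(hi - lo, workers)
    chunks, start = [], lo
    for i in range(workers):
        end = start + size + (1 if i < rem else 0)
        chunks.append((start, end))
        start = end  # next chunk begins on this chunk's boundary value
    return chunks


def build_commands(workers, threads_per_worker=None):
    """One command line per worker; -threads is omitted when not given,
    in which case the tool uses one thread per core (see the text)."""
    cmds = []
    for start, end in split_range(workers):
        parts = [TOOL, "-start", str(start), "-end", str(end)]
        if threads_per_worker:
            parts += ["-threads", str(threads_per_worker)]
        cmds.append(" ".join(parts))
    return cmds


if __name__ == "__main__":
    # Example plan: three machines, four threads each.
    for cmd in build_commands(3, threads_per_worker=4):
        print(cmd)
```

Each worker writes its own report (the C:\RakhniDecryptor.<version>_<date>_<creation_time>_log.txt file mentioned above), so the decryption success line has to be collected from whichever machine's chunk contained the password.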